{
	"id": "adb8128f-cee6-472c-8693-7c013c4a2b06",
	"created_at": "2026-04-06T00:07:51.061487Z",
	"updated_at": "2026-04-10T13:12:53.649898Z",
	"deleted_at": null,
	"sha1_hash": "cdcbc0f5234b8ed2ce8cf842c89298077726eaa9",
	"title": "AZORult Delivered by GuLoader | Malware Analysis Spotlight | VMRay",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1367604,
	"plain_text": "AZORult Delivered by GuLoader | Malware Analysis Spotlight |\r\nVMRay\r\nBy VMRay Labs\r\nPublished: 2020-11-18 · Archived: 2026-04-05 17:12:56 UTC\r\nEarlier this year, in one of our blog posts we covered GuLoader, a downloader outfitted with advanced anti-analysis techniques that has delivered FormBook, NanoCore, LokiBot, and Remcos among others. Recently, we’ve observed GuLoader delivering AZORult.\r\nActive for many years, AZORult is an information stealer that has seen many iterations and is typically spread via spam emails or malicious software.\r\nGuLoader’s evasive techniques coupled with AZORult’s information-stealing capabilities make this an interesting combination for an attacker to hit their target.\r\nIn this Malware Analysis Spotlight, we will analyze a delivery chain that uses malicious e-mail attachments and GuLoader to spread AZORult.\r\nAnalysis of the AZORult Delivery Chain\r\nOur investigation started from a single sample that matched our AZORult v3 network communication YARA rule. We decided to get more background information and look for the delivery method. The delivery payload turned out to be an RTF document delivered as an email attachment (Figure 1) and exploiting a vulnerability in one of Microsoft’s Office products.\r\nStarting from the email, the attack actually contained three steps and downloaded two payloads during its execution. At least one of the payloads was AZORult. We also investigated the other parts of the execution chain, and it turned out that the infamous GuLoader was used as one of the links in the execution chain.\r\nhttps://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/\r\nPage 1 of 5\n\nThe document abuses the Equation Editor vulnerability (CVE-2017-11882) to achieve execution on the victim’s machine. This leads to the download and execution of the next payload, which is GuLoader (Figure 2).\r\nIn our investigation, we found multiple unique domains responsible for hosting the GuLoader payload (see the list of IOCs) associated with similar spam emails leveraging this type of execution chain.\r\nAs we have described in one of our previous Threat Bulletins, GuLoader is equipped with advanced anti-analysis, sandbox detection, and evasion techniques to increase its chances of delivering malware to its intended target.\r\nIn the VMRay Analyzer Report, we observed the typical behavior of GuLoader, using shellcode in two instances (processes). The shellcode uses its advanced techniques to thwart dynamic analysis, followed by the final payload downloaded from a publicly available cloud provider.\r\nCompared to the previously analyzed GuLoader samples, this one shows additional behavior in the enumeration of products currently advertised/installed (MsiEnumProductsA) and services (EnumServicesStatusA) (Figure 3). This might be an indicator of further detection or evasion techniques present in this GuLoader sample.\r\nAZORult’s Behavior\r\nFrom this point on, the behavior of AZORult is visible. AZORult is an information stealer that targets login credentials, cookies, cryptocurrency wallets, and more (Figure 5).\r\nAZORult v3 always prepends the XOR key used to encrypt the following message sent to its C\u0026C to the beginning of that message. Thus, the initial communication always starts with three NUL bytes followed by an XOR-encrypted ID hash (Figure 6). In our investigation, we found multiple servers used as its C\u0026C (see IOCs) that all contain the same path.\r\nConclusion\r\nBy using GuLoader in the delivery chain, the attackers can profit from the many features provided by GuLoader that are not offered by AZORult on its own. This obstructs dynamic analysis, complicates manual analysis, and provides a flexible, easy distribution of tasks to the attacker without the requirement of advanced specialized knowledge. Despite all that, the VMRay Analyzer monitored the complete delivery chain from the initial RTF document to the final payload.\r\nAs mentioned before, these documents are sent via spam emails, which are typical attack vectors that attackers use as an entry into the network. Including the VMRay Email Threat Defender (ETD) in the network helps to detect and prevent such attacks.\r\nDocuments\r\n5ff8a87fd7626d4beab7a5be7f285f1d1d64478509f27aca6fd9deb3f69155e7\r\n9a5f4116b1be763a38e25cb14869b57daf9ae4fe1c2e72adc433eccc95d5f539\r\n08df240668051225b392d88174dadd0db2703ee1ba93c62e3b020cb2be188c17\r\n6a39c54717f2c9f76f5cf9bde58ca256ab1ed77985b3f590d3797fd6655c19ac\r\nf0fb1c2a2150e9a33488974952af6c8f0cd52d463ab656e36d17b7d224d04f8e\r\ncc88795da896ebd8df6fdd996179ae53285c021b0d7437fa9bffca4e5fbc0473\r\nd0f83c5b91494e26b3c0cc108aa43f6865a17eee870a28f1f7d89669e177d279\r\n3bd6858a664535a00192021b4b89ab96d47fcf08c32fee5ea97ded3099e39ba8\r\nGuLoader using MsiEnumProducts\r\ne000b0cae7df0753ea12d97175e393bacf905613eef1a59d7e1784a913993f58\r\n1e6a09e38553c090a119156022d61670adf96f8a635a3dac11f11dd395c107ba\r\n4487e0798fb74f9891c48625b3a189dbd1e05e2c400cd710f4ea0bdf03b9adbd\r\nc256466dc256d55f7cba0f1c2201f208b82deabd903dd3a71a4e7989e6a61ff7\r\nc87290bb28696eddacaadc0f01805f841bda964d55efa9c39d0a06f1d31ede3b\r\n1623c45e067729ec3b334294da18855e0e5312fd4d9d28f95d4e38b074255892\r\nb5389059c8b005b1968197bb1bb38edc024501c02bf8941d287b1c01358b121a\r\ne97e14f57e6f9ad987e4b5079b7ba8a387115b89784958d40d1f65d79d027315\r\nDomains hosting GuLoader\r\nkalpvedafoundation[.]com\r\ncieloabiertocasahogar[.]com\r\nwww[.]cecadperu[.]com\r\nAZORult C\u0026Cs\r\nskilldrivinget[.]com/ojman/PL341//index[.]php\r\nlaninesolution[.]com/roky/PL341/index[.]php\r\ntarot-sunce[.]com/linko/PL341/index[.]php\r\neksodus[.]id/ghytoja/PL341/index[.]php\r\nSource: https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/"
	],
	"report_names": [
		"azorult-delivered-by-guloader-malware-analysis-spotlight"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434071,
	"ts_updated_at": 1775826773,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cdcbc0f5234b8ed2ce8cf842c89298077726eaa9.pdf",
		"text": "https://archive.orkl.eu/cdcbc0f5234b8ed2ce8cf842c89298077726eaa9.txt",
		"img": "https://archive.orkl.eu/cdcbc0f5234b8ed2ce8cf842c89298077726eaa9.jpg"
	}
}